Cdm authorisation and access control¶

It is evident that the cdm library needs authorisation and access control. There are library methods which need to protected from unauthorised execution and there is also the data which is exposed by the library. Not all data should be visible to every user so a row level access control is needed.

Questions¶

1. Do we need a access control in the web service (cdmlib-remote) or is it sufficient to protect the service layer. As long web service controllers are not using DAO (cdmlib-persistence) methods directly it should not be necessary.

Use cases¶

A. a specific classification sub tree must not be publicly visible in the data portal and thus must be also hidden in the web service responses

B. a specific classification sub tree is only visible for user which have a specific role_ but the user is not granted to *edit anything in/below it

C. A user is only granted to edit descriptions

D. A user is only granted to edit structured descriptions

E. Combinations of A, B and C, D must be possible

F. Only users with the role Admin or the user in question it self are allowed to change passwords

G.

Special cases:

• @TaxonNames@ can potentially be shared between different taxa, thus a situation may occur where a user has grants to edit taxon A but not for taxon B, but both taxa are sharing the same name. How will we handle this situation, should the name be cloned when the user starts editing taxon A, so that taxon A has another name entity than taxon B after the user saved the latest changes?

• The same problem as described above for TaxonNames also accounts for @References@, but in this case the problem is more severe since references are very often part of multiple taxon names.